WoopMoney is an innovative-reliable and flexible payment token and protected operations in Defi. A decentralized blockchain for decentralized protocols on #BSC
Unable to find manual contract audit (e.g. Certik, PeckShield, Solidity...)
CoinToken.addLiquidity(uint256,uint256) (#837-847) sends eth to arbitrary user
Dangerous calls:
- uniswapV2Router.addLiquidityETH{value: ethAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#839-846)
Ensure that an arbitrary user cannot withdraw unauthorized funds.
Additional information: link
Reentrancy in CoinToken._transfer(address,address,uint256) (#776-811):
External calls:
- swapAndLiquify(contractTokenBalance) (#802)
- uniswapV2Router.addLiquidityETH{value: ethAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#839-846)
- uniswapV2Router.swapExactTokensForETHSupportingFeeOnTransferTokens(tokenAmount,0,path,address(this),block.timestamp) (#828-834)
External calls sending eth:
- swapAndLiquify(contractTokenBalance) (#802)
- uniswapV2Router.addLiquidityETH{value: ethAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#839-846)
State variables written after the call(s):
- _tokenTransfer(from,to,amount,takeFee) (#810)
- _rOwned[_devWalletAddress] = _rOwned[_devWalletAddress].add(rDev) (#725)
- _rOwned[address(this)] = _rOwned[address(this)].add(rLiquidity) (#717)
- _rOwned[sender] = _rOwned[sender].sub(rAmount) (#881)
- _rOwned[sender] = _rOwned[sender].sub(rAmount) (#871)
- _rOwned[sender] = _rOwned[sender].sub(rAmount) (#893)
- _rOwned[sender] = _rOwned[sender].sub(rAmount) (#623)
- _rOwned[recipient] = _rOwned[recipient].add(rTransferAmount) (#872)
- _rOwned[recipient] = _rOwned[recipient].add(rTransferAmount) (#894)
- _rOwned[recipient] = _rOwned[recipient].add(rTransferAmount) (#883)
- _rOwned[recipient] = _rOwned[recipient].add(rTransferAmount) (#625)
- _tokenTransfer(from,to,amount,takeFee) (#810)
- _rTotal = _rTotal.sub(rFee) (#670)
- _tokenTransfer(from,to,amount,takeFee) (#810)
- _tOwned[address(this)] = _tOwned[address(this)].add(tLiquidity) (#719)
- _tOwned[_devWalletAddress] = _tOwned[_devWalletAddress].add(tDev) (#727)
- _tOwned[sender] = _tOwned[sender].sub(tAmount) (#892)
- _tOwned[sender] = _tOwned[sender].sub(tAmount) (#622)
- _tOwned[recipient] = _tOwned[recipient].add(tTransferAmount) (#882)
- _tOwned[recipient] = _tOwned[recipient].add(tTransferAmount) (#624)
Apply the check-effects-interactions pattern.
Additional information: link
Combination 1: Reentrancy vulnerabilities + Functions that send Ether to arbitraty destination. Usual for scams. May be justified by some complex mechanics (e.g. rebase, reflections). DYOR & manual audit are advised.
CoinToken.constructor(string,string,uint256,uint256,uint256,uint256,uint256,address,address,address,address) (#476-512) performs a multiplication on the result of a division:
-numTokensSellToAddToLiquidity = (_tTotal * 5 / 10000) * 10 ** _decimals (#490)
Consider ordering multiplication before division.
Additional information: link
CoinToken.addLiquidity(uint256,uint256) (#837-847) ignores return value by uniswapV2Router.addLiquidityETH{value: ethAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#839-846)
Ensure that all the return values of the function calls are used.
Additional information: link
CoinToken._approve(address,address,uint256).owner (#768) shadows:
- Ownable.owner() (#204-206) (function)
Rename the local variables that shadow another component.
Additional information: link
CoinToken.setNumTokensSellToAddToLiquidity(uint256) (#908-910) should emit an event for:
- numTokensSellToAddToLiquidity = amountToUpdate (#909)
Emit an event for critical parameter changes.
Additional information: link
CoinToken.setDevWalletAddress(address)._addr (#656) lacks a zero-check on :
- _devWalletAddress = _addr (#657)
Check that the address is not zero.
Additional information: link
Reentrancy in CoinToken.transferFrom(address,address,uint256) (#549-553):
External calls:
- _transfer(sender,recipient,amount) (#550)
- uniswapV2Router.addLiquidityETH{value: ethAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#839-846)
- uniswapV2Router.swapExactTokensForETHSupportingFeeOnTransferTokens(tokenAmount,0,path,address(this),block.timestamp) (#828-834)
External calls sending eth:
- _transfer(sender,recipient,amount) (#550)
- uniswapV2Router.addLiquidityETH{value: ethAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#839-846)
State variables written after the call(s):
- _approve(sender,_msgSender(),_allowances[sender][_msgSender()].sub(amount,ERC20: transfer amount exceeds allowance)) (#551)
- _allowances[owner][spender] = amount (#772)
Apply the check-effects-interactions pattern.
Additional information: link
Reentrancy in CoinToken.transferFrom(address,address,uint256) (#549-553):
External calls:
- _transfer(sender,recipient,amount) (#550)
- uniswapV2Router.addLiquidityETH{value: ethAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#839-846)
- uniswapV2Router.swapExactTokensForETHSupportingFeeOnTransferTokens(tokenAmount,0,path,address(this),block.timestamp) (#828-834)
External calls sending eth:
- _transfer(sender,recipient,amount) (#550)
- uniswapV2Router.addLiquidityETH{value: ethAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#839-846)
Event emitted after the call(s):
- Approval(owner,spender,amount) (#773)
- _approve(sender,_msgSender(),_allowances[sender][_msgSender()].sub(amount,ERC20: transfer amount exceeds allowance)) (#551)
Apply the check-effects-interactions pattern.
Additional information: link
Ownable.unlock() (#235-240) uses timestamp for comparisons
Dangerous comparisons:
- require(bool,string)(block.timestamp > _lockTime,Contract is locked.) (#237)
Avoid relying on block.timestamp.
Additional information: link
Address._verifyCallResult(bool,bytes,string) (#175-188) uses assembly
- INLINE ASM (#180-183)
Do not use evm assembly.
Additional information: link
SafeMath.trySub(uint256,uint256) (#28-33) is never used and should be removed
Remove unused functions.
Additional information: link
solc-0.8.4 is not recommended for deployment
Deploy with any of the following Solidity versions: 0.5.16 - 0.5.17, 0.6.11 - 0.6.12, 0.7.5 - 0.7.6 Use a simple pragma version that allows any of these versions. Consider using the latest version of Solidity for testing.
Additional information: link
Low level call in Address.functionDelegateCall(address,bytes,string) (#169-173):
- (success,returndata) = target.delegatecall(data) (#171)
Avoid low-level calls. Check the call success. If the call is meant for a contract, check for code existence
Additional information: link
Variable CoinToken._maxTxAmount (#460) is not in mixedCase
Follow the Solidity naming convention.
Additional information: link
Redundant expression "this (#115)" inContext (#109-118)
Remove redundant statements if they congest code but offer no value.
Additional information: link
Reentrancy in CoinToken.constructor(string,string,uint256,uint256,uint256,uint256,uint256,address,address,address,address) (#476-512):
External calls:
- address(service).transfer(msg.value) (#508)
Event emitted after the call(s):
- Transfer(address(0),tokenOwner,_tTotal) (#509)
Apply the check-effects-interactions pattern.
Additional information: link
Variable CoinToken._transferBothExcluded(address,address,uint256).rTransferAmount (#621) is too similar to CoinToken._transferFromExcluded(address,address,uint256).tTransferAmount (#891)
Prevent variables from having similar names.
Additional information: link
isExcludedFromFee(address) should be declared external:
- CoinToken.isExcludedFromFee(address) (#764-766)
Use the external attribute for functions never called from the contract.
Additional information: link
BscScan page for the token does not contain additional info: website, socials, description, etc.
Additional information: link
Unable to find token on CoinGecko
Additional information: link
Unable to find token contract audit
Unable to find audit link on the website
Unable to find token on CoinHunt
Additional information: link
Young tokens have high risks of scam / price dump / death
Token has no active CoinGecko listing / rank
Token has a considerable age, but social accounts / website are missing or have few users
Young tokens have high risks of price dump / death
Young tokens have high risks of price dump / death
Twitter account link seems to be invalid
Unable to find Youtube account
Unable to find Discord account